Istio + Kubernetes:网关多个 TLS 证书
[英]Istio + Kubernetes: Gateway more than one TLS Certificate
问题描述
I have a Kubernetes cluster with multiple tenants (in different namespaces).
我有一个 Kubernetes 集群有多个租户(在不同的命名空间中)。 I'd like to deploy an independent Istio Gateway object into each tenant, which I seem to be able to do.我想在每个租户中部署一个独立的 Istio Gateway 对象,我似乎可以做到。 However, setting up TLS requires a K8s secret that contains the TLS key/cert.但是,设置 TLS 需要包含 TLS 密钥/证书的 K8s 机密。 The docs indicate that the "secret must be named istio-ingressgateway-certs in the istio-system namespace".文档指出“秘密必须在 istio-system 命名空间中命名为 istio-ingressgateway-certs”。 This would seem to indicate that I can only have one TLS secret per cluster.这似乎表明每个集群只能有一个 TLS 机密。 Maybe I'm not reading this correctly.也许我没有正确阅读这个。 Is there a way to configure independent Istio Gateways in their own namespaces, with their own TLS secrets?有没有办法在他们自己的命名空间中配置独立的 Istio 网关,使用他们自己的 TLS 秘密? How might I go about doing that?我该怎么做呢?
Here is the doc that I'm referencing.这是我引用的文档。
https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-mount/ https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-mount/
Any thoughts are much appreciated.任何想法都非常感谢。
1 个解决方案
解决方案1
2 已采纳 2020-01-03 10:41:42
As provided on istio documentation it's possible.正如istio 文档中提供的那样,这是可能的。
In this section you will configure an ingress gateway for multiple hosts, httpbin.example.com and bookinfo.com.
So You need to create private keys, in this example, for bookinfo and httbin , and update istio-ingressgateway.因此,在本例中,您需要为bookinfo和httbin创建私钥,并更新 istio-ingressgateway。
I created them both and they exist.我创造了它们并且它们存在。
bookinfo certs and gateway bookinfo 证书和网关
kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-bookinfo-certs
lrwxrwxrwx 1 root root 14 Jan 3 10:12 tls.crt -> ..data/tls.crt
lrwxrwxrwx 1 root root 14 Jan 3 10:12 tls.key -> ..data/tls.key
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: ingressgateway # use istio default ingress gateway
servers:
- port:
number: 443
name: https-bookinfo
protocol: HTTPS
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-bookinfo-certs/tls.crt
privateKey: /etc/istio/ingressgateway-bookinfo-certs/tls.key
hosts:
- "bookinfo.com"
httpbin certs and gateway httpbin 证书和网关
kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-certs
lrwxrwxrwx 1 root root 14 Jan 3 10:07 tls.crt -> ..data/tls.crt
lrwxrwxrwx 1 root root 14 Jan 3 10:07 tls.key -> ..data/tls.key
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: httpbin-gateway
spec:
selector:
istio: ingressgateway # use istio default ingress gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
hosts:
- "httpbin.example.com"
Haven't made a full reproduction to check if they both works but if that won't work for You i will try to make it and update the question.尚未进行完整复制以检查它们是否都有效,但如果这对您不起作用,我将尝试制作并更新问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.